Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/04/2024, 00:35

General

  • Target

    2024-04-06_51bd6b960e960cb7508f65002df3fa0c_mafia_nionspy.exe

  • Size

    328KB

  • MD5

    51bd6b960e960cb7508f65002df3fa0c

  • SHA1

    02072c3154226d499295414e6f5f4c96ef092760

  • SHA256

    3a2560cf2bfd971577c28bc27272cfe7fdfdef2bdb4b7590d8928cd6319bee18

  • SHA512

    3644a3b419092f2e8783ea872a3de47331ac4073c1b281b0472d0103fef871f65ed58fe68ac5793ffdab909febbc94705fe62d0f6ef165b0f7d1aeaa8e5ecd16

  • SSDEEP

    6144:b2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG89gkPzDh1v:b2TFafJiHCWBWPMjVWrXf1v

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-06_51bd6b960e960cb7508f65002df3fa0c_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-06_51bd6b960e960cb7508f65002df3fa0c_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3600
    • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1336
      • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe"
        3⤵
        • Executes dropped EXE
        PID:2976

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe

    Filesize

    328KB

    MD5

    2cc4f112a4d9ef2b67d6c24cae8bd9ed

    SHA1

    63b9a73ac12f9273c70190713a2c7c5f9843c933

    SHA256

    16e6348a4cd61399cb1b8b76a1d5d2f54f8c8cc6dba0bfc4b6660a8205813ad9

    SHA512

    a79b3e7110dadc84e1350e732bde3a49590b4c7f6e17a2a0b0aa3890479e335c9ce918788cad23546ba5235f27ec57e88bf3ecb099255f56c9994c11635cf564